Writing, publishing, geekdom, and errata.

Congress Killed Your Privacy, What Next? - Bonus Step: Selective VPN routing from your router

When you're setting up your VPN connection, the most comprehensive way is to do it through your router. 

The problem is that once all of your traffic goes across the VPN, you can no longer reach anything inside your LAN from the internet - say, SSH, a webserver at your personal domain name, a file server, MPD streaming radio, whatever.

You could use iptables.  Here's a nice example page that covers most scenarios that you need, though it's written for Tomato routers. 

Instead, I'm going to use policy based routing with DD-WRT (How to supercharge your router with DD-WRT).  The same should apply to any other router that can handle both OpenVPN and policy based routing.

This is definitely in "advanced user" territory, though I'm going to do my best to make this as simple as possible. 

As I previously mentioned, I use Private Internet Access. If you use another VPN, they should have a setup guide for your router.  Here's PIA's guide for DD-WRT.  The key part is assigning static IP addresses for your servers (something you've probably already done if you have a home server!) and telling the router to route EVERYTHING ELSE across the VPN.

What you'll want to find is the section in your router's OpenVPN setup labeled "Policy Based Routing".

As you can see, there's a range of IP addresses in there.  In my case, (not really) is where my server lives.  So I went to http://www.ipaddressguide.com/cidr and put in the IP ranges of everything else that my router assigns as IP addresses in there.  From that point, it was a simple cut-and-paste, reboot of the router, and then only the server was available directly from the internet without going across the VPN tunnel.
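The CIDR calculator step above is the part people get wrong, so here is an added example (my own, not from the original post or from DD-WRT) that does the same arithmetic offline with Python's standard ipaddress module. The LAN (192.168.1.0/24) and the server address (192.168.1.10) are constructed placeholders, not the real values from the post. It goes a little beyond the post by accepting more than one host to keep out of the tunnel, and it includes a membership check and a coverage count so you can verify the list before pasting it into the "Policy Based Routing" field.

```python
"""Compute the CIDR list for a DD-WRT-style "Policy Based Routing" field.

Every range listed in the field is sent over the VPN; any address left out
keeps the regular WAN route (that is how the post keeps its server reachable).
LAN and host addresses below are constructed placeholders.
"""
import ipaddress
from typing import Iterable, List

LAN = "192.168.1.0/24"            # constructed: the range the router hands out
KEEP_DIRECT = ["192.168.1.10"]    # constructed: the home server's static address


def vpn_ranges(lan: str, keep_direct: Iterable[str]) -> List[str]:
    """Return the minimal CIDR blocks covering `lan` minus each host in `keep_direct`.

    Each host is treated as a /32 (or /128) network and carved out of whatever
    block still contains it; address_exclude yields the surrounding pieces.
    """
    remaining = [ipaddress.ip_network(lan)]
    for host in keep_direct:
        carve = ipaddress.ip_network(host)
        next_remaining = []
        for net in remaining:
            if carve.subnet_of(net):
                # Split `net` into the pieces that do not contain `carve`.
                # If carve == net this yields nothing, dropping the block.
                next_remaining.extend(net.address_exclude(carve))
            elif net.subnet_of(carve):
                continue  # `carve` is larger than this block: drop the whole block
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return [str(n) for n in sorted(remaining)]


def goes_via_vpn(address: str, ranges: Iterable[str]) -> bool:
    """True if `address` falls inside any listed range, i.e. would be tunnelled."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def covered_addresses(ranges: Iterable[str]) -> int:
    """Total number of addresses the list covers; use it as a sanity check
    (it should equal the LAN size minus the number of excluded hosts)."""
    return sum(ipaddress.ip_network(r).num_addresses for r in ranges)


if __name__ == "__main__":
    ranges = vpn_ranges(LAN, KEEP_DIRECT)
    print("Paste these into the policy-based routing field:")
    for r in ranges:
        print(" ", r)
    print("server tunnelled?", goes_via_vpn(KEEP_DIRECT[0], ranges))  # False
    print("covered:", covered_addresses(ranges), "of", ipaddress.ip_network(LAN).num_addresses)
```

A /24 with one host carved out always comes back as eight blocks; the coverage count lets you catch a typo in the field before rebooting the router and discovering that either the server is tunnelled too or some other device is bypassing the VPN.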

This is useful, because my server is already pretty hardened against attack.  And because I have Apache2 running on that server (something you can do with the inexpensive CHIP or Raspberry Pi), I get a lot of flexibility.

That's via Apache2's proxy capabilities.  When you enable mod_proxy in Apache, you can use it to forward ports and all sorts of stuff.  For example, this guy used Apache to proxy his SSH requests.

Let's say you have Icecast running on, with port 8000, but your home server is a different machine (, for example) at http://example.com .   You set up the policy based routing above to route everything except over the VPN.  Then, in proxy.conf on, you put these lines:

ProxyPass /icecast
ProxyPassReverse /icecast

This actually makes it easier for you, because now you can reach your Icecast stream at http://example.com/icecast with no port number.  Additionally, it means that only the proxied path is exposed, which gives your LAN an extra layer of protection from the wider internet.

If you have to deal with iptables - for example, if your router's firmware doesn't support policy based routing, or if you just want to - give it a try.  Here are a few guides I referred to but couldn't get to work:

Finally, speed.  You will experience some slowdown when using a VPN. Part of it is the encryption overhead, though OpenVPN is usually the best protocol.  You may need to tweak your MTU, which server you connect through, or even which ports you use, to optimize your speed.

Additionally, your router might be struggling with the computational requirements of the encryption for a VPN.  In such a case, you might be better off having the individual machines run the VPN separately.  That turned out to be the case for me (after all the researching and work I'd done).  Luckily, PIA allows 5 devices simultaneously, so there's no need for me to buy a new router yet.

Here are some comparison speeds to keep in mind (switching to TCP instead of UDP made no difference):

Type          | Ping | Download / Upload
Regular       | 32   | 23.83 / 2.36
VPN on PC     | 47   | 22.43 / 2.21
VPN on Router | 35   | 5.82 / 2.28
